
[SIG^2 G-TEC] DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities




SIG^2 Vulnerability Research Advisory

DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities

by Tan Chew Keong
Release Date: 02 Feb 2005


ADVISORY URL
http://www.security.org.sg/vuln/desknow2512.html


SUMMARY

DeskNow Mail and Collaboration Server 
(http://www.desknow.com/desknowmc/index.html) is a full-featured and integrated 
mail and instant messaging server, with webmail, secure instant messaging, 
document repository, shared calendars, address books, message boards, 
web-publishing, anti-spam features, Palm and PocketPC access and much more.

A directory traversal vulnerability was found in the DeskNow webmail file 
attachment upload feature that may be exploited to upload files to arbitrary 
locations on the server. A malicious webmail user may upload a JSP file to the 
script directory of the server and execute it by requesting the URL of the 
uploaded JSP file. A second directory traversal vulnerability exists in the 
document repository file delete feature. This vulnerability may be exploited to 
delete arbitrary files on the server. 
 

TESTED SYSTEM

DeskNow Mail and Collaboration Server Version 2.5.12 on English Win2K SP4


DETAILS

On the Windows platform, the default installation of DeskNow Mail and 
Collaboration Server runs its webmail service using Tomcat Application Server 
with LOCAL SYSTEM privilege. This advisory documents two directory traversal 
vulnerabilities that may be exploited by a malicious webmail user to 
upload/delete files to/from arbitrary directories.

 
1. Insufficient input sanitization in attachment.do allows file upload to 
arbitrary directories. 

DeskNow's webmail allows a logged-on mail user to upload file attachments when 
composing an email. Lack of sanitization of the AttachmentsKey parameter allows 
the user to upload files to arbitrary locations on the server. More 
specifically, it is possible to use directory traversal characters to cause the 
uploaded file attachment to be saved outside the temporary directory. This may 
be exploited by a malicious webmail user to upload JSP files to the script 
execution directory of the server. After uploading the JSP file, it is possible 
to execute that file by directly requesting its URL (e.g. 
http://[hostname]/desknow/jsp/test/poc.jsp). Because Tomcat runs as LOCAL 
SYSTEM in the default Windows installation, successful exploitation allows 
upload and execution of arbitrary JSP code with LOCAL SYSTEM privilege. For 
example, a malicious user may upload a JSP file that gives him/her a reverse 
shell.


2. Insufficient input sanitization in file.do allows deletion of arbitrary 
files.

DeskNow's document repository feature allows a user to store files on the 
server via the web interface. A user is allowed to delete his/her own files. 
When the user selects one of his/her own files to be deleted, the file name is 
sent in the select_file parameter of a POST request to file.do. It is possible 
to use directory traversal characters within this parameter to delete files 
that do not belong to the user, anywhere the LOCAL SYSTEM account can write. 
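The following is an added example, not DeskNow's code and not part of the 
original advisory. It replays the path-joining mistake behind both findings 
(AttachmentsKey in attachment.do, select_file in file.do) against an unsafe 
join and a hardened one. The parameter names come from the advisory; the 
directory layout, the helper names and the sample files are assumptions made 
for the illustration. It is written in Python rather than the server's Java 
so that it runs stand-alone; the containment check translates directly to 
File.getCanonicalPath() plus a prefix comparison on a Tomcat host.

```python
"""
Added example, not DeskNow's code: the path-joining mistake behind both
findings and a canonicalising check that closes it. The parameter names
AttachmentsKey and select_file come from the advisory; the directory layout
and the helper names are assumptions made for the illustration.
"""
import os
import posixpath
import tempfile

# Constructed layout standing in for an install: attachments go under a
# temporary directory, JSPs are served from jsp/, and the document
# repository keeps one directory per user.
BASE = tempfile.mkdtemp()
TMP_DIR = os.path.join(BASE, "tmp")
JSP_DIR = os.path.join(BASE, "jsp", "test")
DOCS_DIR = os.path.join(BASE, "docs")
for d in (TMP_DIR, JSP_DIR, DOCS_DIR):
    os.makedirs(d)


def vulnerable_target(base, user_value):
    """The unsafe pattern: the request parameter is appended to a base
    directory with no containment check. Backslashes are mapped to '/'
    here so that a Windows-style '..\\' sequence behaves on a POSIX host
    the way it does on the Win2K target in the advisory."""
    return os.path.normpath(os.path.join(base, user_value.replace("\\", "/")))


def safe_target(base, user_value):
    """Hardened join: reject absolute/drive-qualified input and any '..'
    component, then resolve and confirm the result is still under base."""
    normalised = user_value.replace("\\", "/")
    if posixpath.isabs(normalised) or ":" in normalised:
        raise ValueError("absolute or drive-qualified path rejected")
    parts = [p for p in normalised.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("empty name or traversal component rejected")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, *parts))
    # Defence in depth: catches symlink escapes the component filter cannot
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("resolved path escapes base directory")
    return candidate


def save_attachment(attachments_key, filename, data, check=safe_target):
    """Stand-in for attachment.do: the attachment is written into a
    per-upload directory named by AttachmentsKey (assumed layout)."""
    directory = check(TMP_DIR, attachments_key)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def delete_document(username, select_file, check=safe_target):
    """Stand-in for file.do: select_file names a file in the user's own
    repository directory."""
    path = check(os.path.join(DOCS_DIR, username), select_file)
    os.remove(path)
    return path


def demo():
    """Replay both findings against the unsafe and the hardened join and
    return what happened, keyed by scenario."""
    out = {}
    # Finding 1: AttachmentsKey steps out of tmp/ and drops poc.jsp into the
    # script directory, where a GET to its URL would execute it.
    p = save_attachment("..\\jsp\\test", "poc.jsp", b"<%-- constructed --%>",
                        check=vulnerable_target)
    out["unsafe_upload_reached_jsp_dir"] = os.path.dirname(p) == JSP_DIR and os.path.exists(p)
    try:
        save_attachment("..\\jsp\\test", "poc.jsp", b"", check=safe_target)
        out["safe_upload_rejected"] = False
    except ValueError:
        out["safe_upload_rejected"] = True
    # Finding 2: select_file reaches into another user's repository.
    for user, name in (("alice", "notes.txt"), ("bob", "secret.txt")):
        os.makedirs(os.path.join(DOCS_DIR, user), exist_ok=True)
        with open(os.path.join(DOCS_DIR, user, name), "w") as fh:
            fh.write("constructed\n")
    bobs = os.path.join(DOCS_DIR, "bob", "secret.txt")
    delete_document("alice", "../bob/secret.txt", check=vulnerable_target)
    out["unsafe_delete_removed_other_users_file"] = not os.path.exists(bobs)
    try:
        delete_document("alice", "../bob/secret.txt", check=safe_target)
        out["safe_delete_rejected"] = False
    except ValueError:
        out["safe_delete_rejected"] = True
    # The legitimate case still works through the hardened join.
    delete_document("alice", "notes.txt", check=safe_target)
    out["safe_delete_own_file_ok"] = not os.path.exists(os.path.join(DOCS_DIR, "alice", "notes.txt"))
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The component filter alone would be enough against the two inputs shown, but 
the realpath/commonpath comparison is what makes the check hold when the 
base directory contains symlinks or when the separator handling of the host 
file system differs from what the filter expects; rejecting drive-qualified 
input covers the Windows case the advisory was tested on.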


PATCH

Upgrade to DeskNow Mail and Collaboration Server Version 2.5.14 or later.

 
DISCLOSURE TIMELINE

23 Jan 05 - Vulnerability Discovered.
24 Jan 05 - Initial Vendor Notification.
24 Jan 05 - Initial Vendor Reply.
25 Jan 05 - Vendor Released Version 2.5.13.
25 Jan 05 - Informed Vendor that Vulnerability is not Fully Fixed.
27 Jan 05 - Vendor Released Fixed Version 2.5.14.
02 Feb 05 - Public Release


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html 

"IT Security...the Gathering. By enthusiasts for enthusiasts."